Does HIPAA Compliance Apply to Your Business?
Feb 11th, 2020 by Admin


It is vital that health care providers and professionals in healthcare IT understand HIPAA compliance, which ensures the security and privacy of protected health information (PHI). Other industries may also need to be HIPAA compliant, according to the judgment of Retail Insights, LLC. Actionable consumer insights are available through Retail Insights, which extracts a massive amount of data analytics from Point of Sale (POS) machines used by the company’s subscribers.


What Does HIPAA Compliance Involve?


HIPAA compliance is a defined set of industry standards that must be implemented by health care professionals and their vendors. For example, the two most critical of the HIPAA Rules are the HIPAA Security Rule and the HIPAA Privacy Rule. An effective compliance program must be established according to precise guidelines involving steps to create, deploy, and test HIPAA compliance.


Three components that healthcare providers and their vendors are required to address are administrative, technical, and physical, as follows:


  • Administrative safeguards cover creating and maintaining policies, procedures, documentation, and staff training.
  • Technical safeguards cover how the network infrastructure is implemented and protected. This involves data encryption, data backup, firewalls, and protection against malware.
  • Physical safeguards include alarm systems and locks as well as access controls such as card-keys or, for larger companies, role-based access.

Compliance and Security are Required


HIPAA compliance means the integrity, confidentiality, and availability of a patient’s PHI are protected by following mandated guidelines for security. HIPAA compliance and security are inextricably linked.


Contact Aperio IT to learn more about HIPAA compliance for your business.

What do you know about HIPAA?
Nov 2nd, 2016 by aperio


HIPAA is constantly changing and updating its regulations. There are still tons of companies that are currently operating without even knowing they need to be HIPAA compliant. It’s hard to stay on top of all the changes, so if you ever have any questions, please feel free to contact us about HIPAA certification. You may already be required to comply and could face paying some hefty fines. If you have questions, call us at 916.568.6830 or contact us via the form:

CONTACT US!

 


It’s More Than Just an IT Problem
Jun 16th, 2016 by aperio

Not every HIPAA security requirement is related to technology. Just two of the requirements to keep in mind when you work to make your company HIPAA compliant include Business Associate Agreements and Risk Assessment.

 

HIPAA Requirement for Business Associate Agreement

 

In addition to your IT department’s need to keep Protected Health Information (PHI) in electronic form secure, you need to consider issues not related to technology. For example, if a company you work with is considered a business associate under HIPAA, this means you must have a business associate agreement (BAA) in place with them before transmitting PHI to them. This BAA is a contract to uphold PHI security according to HIPAA guidelines. Failure to have the (BAA) in place at the proper time can result in fines and other penalties.

 

In a recent case, a surgical practice ended up having to settle with the Office of Civil Rights of the U.S. Department of Health and Human Services (OCR) for $750,000 after it improperly disclosed several thousand patients’ PHI to a service provider without first entering into a BAA with the service provider. This service provider had agreed to digitize x-rays containing PHI, in exchange for extracting and keeping the silver from the x-ray film. While this provider’s service might not appear at first glance to be related to health care, the fact that the x-rays contained PHI and the provider “created, received, maintained, or transmitted” the PHI without a BAA in place made all the difference in this case.

 

HIPAA Requirement for Risk Assessment

 

HIPAA requires all covered entities, their business associates, and subcontractors of business associates to conduct a risk assessment. As stated in HIPAA these entities must, “…implement policies and procedures to prevent, detect, contain, and correct security violations.” Further, a risk assessment is defined as a, “…thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”

 

In another case, a Minnesota-based health care company paid a $1.5 million settlement after one of its business associates was investigated. A laptop containing PHI for the health care company’s patients had been stolen from the car of one of the business associate’s employees. The health care company was penalized both because there was no BAA in place between it and its business associate, and because it had not conducted an adequate analysis of the security threats to the PHI.

 

HIPAA Audits, Phase 2 – Business Associates May Also Be Audited

 

As we mentioned in our recent post, “Is Your Business Affected by HIPAA Regulations,” the OCR launched Phase 2 of its HIPAA Audit Program on March 21, 2016. In this phase, any covered entity or business associate may be audited. Per the OCR, these audits can involve onsite assessments or desk audits.

 

Need to Learn More about HIPAA Compliance?

 

If you’d like to learn more about how HIPAA compliance may affect your business, Aperio-IT will be holding a free Lunch and Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations. You can find out details and register here to attend.

 

You can also take a look at our previous HIPAA-related posts:

SOX Compliance – A Continuing Challenge
May 31st, 2016 by aperio

SOX Compliance in Recent News

Although the Sarbanes-Oxley Act has been around since 2002, compliance remains a challenge. In a recent example, a Forbes article from this month explores reasons for Plantronics’ under-performance in the stock market and brings up concerns that Plantronics may be facing a Sarbanes-Oxley violation. The article mentions that the senior vice president of sales at Plantronics, “…was instructing employees who worked under him to delete e-mails that were clearly relevant and responsive to pending discovery having to do with the distributors that are at issue in this case.”

 

In our last several posts we’ve focused on HIPAA compliance. But of course HIPAA is only one of several areas companies need to keep in mind when it comes to compliance issues. Here’s a quick refresher on the Sarbanes-Oxley Act.

 

Intent of the Sarbanes-Oxley Act

The intent of the Sarbanes-Oxley Act (also known as Sarbox or SOX) was to protect investors by improving the reliability and accuracy of corporate disclosures. It was enacted in 2002 and while it applies primarily to public companies, the act also contains provisions for private companies. The provisions have to do with the willful destruction of evidence to impede a Federal investigation.

 

A major feature of the SOX Act is that it specifies financial reporting responsibilities. This means CEOs and CFOs can no longer claim ignorance of financial issues to avoid accountability for the accuracy of financial statements.

 

As a result of the SOX Act, leaders of an organization are held legally responsible for SOX compliance, facing possible monetary fines and imprisonment (up to twenty years) for failure to comply. Thus, even if a company’s IT department prepares SOX audit statements, those statements will need to be certified by the CEO.

 

What are some of the ways SOX Compliance has affected companies since SOX was enacted?

  • Stronger audit committees at public companies, due to the act’s requirement that audit committee members must be independent of top management.
  • Increased costs, especially due to Section 404 of the act. This section requires extensive internal control tests and reporting. As a result of these costs, many companies have seen a need to focus on making their financial reporting more efficient.
  • Strengthened public disclosure requirements.
  • Stricter penalties for obstructing justice and for securities fraud.

 

What are the main IT concerns regarding SOX Compliance?

Most aspects of IT are affected by SOX compliance. SOX regulations mean that audit trails must be retained and auditable for five years. Any IT operation that involves financial data or activity may be affected. All forms of communication regarding finance and accounting must be tracked and archived in case of compliance audits.

 

What kinds of information does IT need to store with regard to SOX compliance, and how?

Generally speaking, all emails, spreadsheets, and documents used to arrive at final financial conclusions. For a more complete breakdown, see our post “What Does Your IT Team Need to Know about SOX Compliance.”

 

Learn more about the SOX Act:

Our previous posts regarding SOX Compliance:

HIPAA LUNCH AND LEARN EVENT
May 16th, 2016 by aperio

REGISTER HERE:
http://events.r20.constantcontact.com/register/event?oeidk=a07ecnjnfc31de5b02d&llr=hxcf8qcab

APERIO IT, ALONG WITH LENOVO AND HIPAA PLUS, WILL BE HOSTING A FREE LUNCH AND LEARN EVENT THAT WILL START AT 11:30AM AND GO UNTIL 1:30PM ON JUNE 8TH. WE WILL GO OVER SOME NEW HIPAA LAWS THAT WENT INTO EFFECT AND THEN HOLD A ‘Q & A’ SESSION TO ANSWER ANY HIPAA RELATED QUESTIONS YOU MAY HAVE.
