HIPAA Compliance Services and Training

HIPAA was enacted with two purposes: the first was to ensure that employees could keep their health insurance between jobs (portability), and the second was to ensure the privacy and security of patient information (accountability). The accountability portion of HIPAA has evolved over the years, and this evolution requires healthcare organizations to maintain a high level of compliance in safeguarding their patients' medical information, also known as PHI (Protected Health Information). HIPAA Compliance is ongoing, mandatory, and necessary for your business.

Talk to a compliance expert »

5 Questions about HIPAA Compliance

Why is HIPAA Compliance relevant to my healthcare organization?

Healthcare organizations have an obligation to protect their patients' protected health information (PHI) in every form, including electronic protected health information (ePHI), from internal and external threats. As custodians of PHI/ePHI, healthcare providers must deploy and maintain stringent administrative, technical, and physical safeguards (the three safeguard categories of the Security Rule) to protect that information from data breaches.

What is required for HIPAA Compliance?

To satisfy the base requirements, your HIPAA Compliance training program should incorporate annual training on privacy, security and breach notification. A Security Risk Assessment (SRA) should also be performed; its output is both a risk mitigation plan and an operationally specific HIPAA Compliance manual.

Other aspects of HIPAA Compliance include distributing a Notice of Privacy Practices, having Business Associate Agreements with certain vendors, and establishing the roles of Privacy Officer and Security Officer. These policies and procedures will be part of the HIPAA Compliance manual.

Who does HIPAA apply to?

HIPAA regulations apply to two groups: covered entities and business associates.

Covered entities are health plans, healthcare providers and healthcare clearinghouses. A business associate is defined by HHS as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Common examples of business associates include: IT contractors or Managed Service Providers, billing companies, collection companies, shredding companies, EMR companies, phone reminder companies, email services providers and consultants.

Does HIPAA Compliance require a Security Risk Assessment (SRA)?

A Security Risk Assessment is required by HIPAA regulations: the Security Rule's risk analysis implementation specification (45 CFR 164.308(a)(1)(ii)(A)) requires an accurate and thorough assessment of the risks to ePHI. It is the first step in evaluating and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.

Could my practice be fined for lack of HIPAA Compliance?

The Federal government does not institute regulations without enforcement, and in the case of HIPAA Compliance there is a specific penalty structure for HIPAA violations. The HHS Office for Civil Rights (OCR) is responsible for enforcing the HIPAA regulations.

OCR would prefer to resolve HIPAA violations in a non-punitive manner, but will impose penalties on healthcare organizations that are not diligent in their efforts to comply with the HIPAA regulations.


How HealthCare Compliance Network assists with HIPAA Compliance.

Performing a Security Risk Assessment

A risk assessment helps your organization confirm that it is compliant with HIPAA's administrative, physical, and technical safeguards. It also reveals the areas where your organization's protected health information (PHI) is at risk, which is the information the risk management plan is built on.



Assisting with Breach Determination & Notification Process

Your organization will experience HIPAA incidents. Correctly determining which incidents are reportable breaches and which are not can save your organization time and money. If a breach has occurred, your organization must follow a specific notification process, with deadlines for notifying affected individuals and HHS.

Developing an Actionable Risk Management Plan

The Security Risk Assessment is only part one of a two-part process. Once the risks have been identified, a risk management plan needs to be established to remediate those risks, with owners and timelines for each item.



Assisting with HHS Office for Civil Rights Desk Audits

Once a breach is reported, the Office for Civil Rights may request additional documentation to see how well your organization has been maintaining its HIPAA Compliance.

Customizing HIPAA Policies & Procedures and Form Development

HIPAA Policies and Procedures need to reflect the organization's actual operational workflows. Authorization and documentation forms need to meet specific requirements for HIPAA Compliance.



Creating specific HIPAA Online Training

Every year, your employees need to learn the latest updates in Privacy and Security regulations. Annual training also matters because, as technology evolves, so do the phishing and other social engineering attacks to which your employees are exposed.

There are four categories (tiers) used for the penalty structure for HIPAA violations:

  • Category 1: A violation the organization did not know about and could not have discovered with reasonable diligence.
  • Category 2: A violation that had reasonable cause and was not due to willful neglect.
  • Category 3: A violation due to willful neglect that was corrected within 30 days.
  • Category 4: A violation due to willful neglect that was not corrected within 30 days.

Each category of violation carries a separate fine range and annual cap:

  • Category 1: $100-$50,000 per violation, capped at $25,000 per year the issue persisted
  • Category 2: $1,000-$50,000 per violation, capped at $100,000 per year the issue persisted
  • Category 3: $10,000-$50,000 per violation, capped at $250,000 per year the issue persisted
  • Category 4: $50,000 per violation, capped at $1.5 million per year the issue persisted

The fines are assessed per violation category, per calendar year that the violation was allowed to persist. The regulations themselves set a maximum of $1,500,000 per violation category per year for every tier; the lower caps listed for Categories 1 through 3 reflect the reduced annual limits HHS announced in its 2019 Notice of Enforcement Discretion. All of these figures are adjusted for inflation each year, so the current amounts are higher than the base figures shown here.

Bottom line: Your healthcare organization will never be 100% HIPAA compliant, but as long as there is an ongoing, documented effort to audit, implement, train and maintain, the 'willful neglect' label can be avoided.

HealthCare Compliance Network, LLC
10 Technology Drive, Suite 322
Hudson, MA 01749

TEL: (855) 526-6754
EMAIL: info@hcompliance.com