HITECH and HIPAA Compliance


Healthcare service providers have become key targets of identity theft crime due to the depth of personal, demographic, and financial information collected on patients. At ABMCG we understand security-related processes and the risks associated with electronic protected health information (ePHI).

HIPAA Compliance

The goal of HIPAA is to ensure the integrity and confidentiality of health information, and to protect against security breaches and unauthorized use or disclosure of health information. The security provisions of HIPAA are designed to motivate healthcare service providers to adopt practices that reduce the risk of losing valuable patient information to data theft resulting from security breaches. To achieve HIPAA compliance, covered entities must demonstrate adherence to the Security Rule. The Security Rule mandates protection of all electronic Protected Health Information (PHI) created, received, maintained, or transmitted by any covered entity. PHI is individually identifiable health information, including items such as the patient’s name, address, e-mail address, birth date, Social Security number, employee number, claim number and health plan beneficiary number. Covered entities must comply with three types of security safeguards: administrative, technical and physical. Specifically, sections §164.308 to §164.316 of the HIPAA Security Rule define the safeguards that must be used to protect confidential medical information.

HITECH Compliance

The goal of the HITECH Act is to improve patient confidence in the security of their medical data, and to improve the quality of patient care in the healthcare system by providing incentives for the adoption and ‘meaningful use’ of electronic health records (EHRs) shared over electronic health information exchange (HIE) networks. The new audit and enforcement requirements introduced by the HITECH Act are a response to the threat faced by healthcare service providers as more patient information moves into EHRs, online employee health benefit plan portals, and e-prescription kiosks accessible via the Internet.

Who needs to be HIPAA and HITECH compliant?

The U.S. Department of Health and Human Services (HHS) delegated HIPAA enforcement authority to the HHS Office for Civil Rights (OCR). The HITECH Act clarified that all health service entities, including business associates in the private sector, that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose protected health information (PHI) are accountable to HHS for HIPAA and HITECH requirements for breach prevention activities, audits, notifications, and penalties for disclosures.

This includes:

  • Covered health care providers (hospitals, clinics, regional health services, individual medical practitioners) that conduct certain transactions in electronic form
  • Health care clearinghouses (including entities that help health care providers and health plans standardize their information)
  • Health plans (including insurers, HMOs, Medicaid, Medicare prescription drug card sponsors, flexible spending accounts, public health authority, in addition to employers, schools or universities that collect, store or transmit PHI to enroll employees or students in health plans)
  • Their business associates (including private sector vendors and third-party administrators)

Penalties for non-compliance

The HITECH Act permits state attorneys general to pursue civil charges on behalf of victims, in addition to fines for HIPAA violators of up to $50,000 for each violation, to a maximum of $1.5 million per year. The high fines levied on HIPAA violators reflect the importance of safeguarding protected health information. Faced with the looming threat of steep fines for failing to meet HIPAA data security requirements, the health service industry is seeking ways to become HIPAA compliant.

How We Can Help

We're here to help organizations that handle sensitive patient information achieve HIPAA compliance. Our solutions for healthcare services meet the Protected Health Information (PHI) safeguards required to achieve HIPAA compliance.

Here's how we'll prepare you for a HIPAA audit while providing sound vulnerability management practices that ensure that your entire infrastructure is protected from intruders:
  • Automating HIPAA audit requirements with pre-configured HIPAA compliance scanning and reporting for the broadest, deepest and most accurate vulnerability management solution
  • Providing both executive HIPAA summary reports for management and a detailed HIPAA remediation plan
  • Performing internal scanning of your entire infrastructure in preparation for HIPAA audits by evaluating potential security risks to electronic PHI, including monitoring of system activity for vulnerability and patch status on devices with PHI
  • Performing external scanning to detect and fix any holes in your network perimeter

Our HIPAA Compliance Services staff also performs HIPAA risk assessment, and provides healthcare providers with documentation on their current security posture in accordance with HIPAA audit standards, including:
  • Defining policies and procedures to secure protected health information
  • Providing security experts to perform vulnerability scanning, penetration testing and a detailed audit of your networked environment, enabling you to detect deficiencies more quickly and get recommendations for fixes that would prevent attacks
  • Identifying protected health information (PHI) and unprotected health information
  • Providing a remediation plan and report with detailed step-by-step instructions for vulnerability remediation to attain HIPAA compliance
  • Providing Security Policy Review to evaluate all security policies and procedures, in addition to providing guidance on designing and implementing missing controls
  • Delivering ABMCG Security Awareness Training to provide staff with the knowledge needed to secure PHI against the electronic, physical and behavioral challenges that put data at risk

Additional Information

If you would like additional information on Services/Industries Solutions or other ABMCG solutions or services, please contact us.