The HIPAA rules apply to health care practitioners, called covered providers, who engage in covered transactions involving PHI. Covered transactions are defined as the conveyance of PHI electronically for the purpose of being paid by third party payors specifically including filing or making inquiries regarding insurance claims and claim status; insurance payment and remittance advice, coordination of insurance benefits; and insurance enrollment and benefit eligibility status. To put the matter briefly; if a practitioner communicates with an insurance company or other third party payor electronically (either using a computer or a fax machine connected to a computer) for the purpose of being paid for services then he or she becomes a covered entity under the HIPAA rules.
Organizational Survey: To start we gain an understanding of your organizational structure – only parts of your business may be subject to HIPAA. We also examine your PHI data inventory and mapping, your HIPAA compliance methodology and tools currently in place and other relevant factors. We then identify areas of HIPAA compliance risk requiring further examination. The Organizational Survey provides a summary of this discovery process.
Remediation Report: Based on the findings in the Organizational Survey, our team goes more deeply into your business processes in order to map them against the requirements of the Privacy Rule and Security Rule. We then provide a benchmarking of your organization to assess your HIPAA compliance standing. The Benchmarking Report provides a summary of your current HIPAA compliance posture as compared to the desired HIPAA compliance position.
Final assessment: Working with your compliance, IT, legal and other personnel, we construct a HIPAA Action Plan with immediate steps and a long-term roadmap for advancing the HIPAA compliance program to the desired compliance state and maintaining a compliant program thereafter. Our deliverables can become a key part of a due diligence record of your HIPAA compliance efforts for presentation to your Board of Directors and for recording ongoing updates.
Both PCI and HIPAA exist to protect different sensitive information in different ways. Therefore, being HIPPA compliant does not check the PCI compliance checkbox and vice-versa. Frustrating for many businesses who may have to manage both (and possible other) compliance frameworks. Now enter HITRUST Common Security Framework (CSF), which may be the future (at some point) of compliance as it attempts to harmonize many of the popular compliance frameworks. Specifically, HITRUST CSF