Ongoing HIPAA compliance for companies that manage and process patient health information.
Sword & Shield’s HIPAA Compliance Program (HCP) provides a cost-effective way for organizations to ensure ongoing compliance with the HIPAA Security, Privacy, and Breach Notification Rules.
Healthcare Compliance is the Law
For covered entities and business associates, safeguarding patients’ electronic protected health information (ePHI) is required by law. The HIPAA Security Rule requires that a periodic risk assessment of an organization’s technical and non-technical safeguards be conducted.
Breaches of ePHI
Breaches of patient data have become a well-publicized and disturbing trend. Medical record data is worth 10 to 50 times more on the black market than credit card data [1]. Why? Because credit card information can be easily changed, while medical record information is lifelong.
For this reason, penalties for not being HIPAA compliant have increased dramatically over recent years, with fines ranging from $100 to $50,000 per violation (or per record) and a maximum penalty of $1.5 million per year for each violation [2].
Even an alleged breach or frivolous complaint can result in an investigation of your organization by the Office for Civil Rights (OCR).
The Department of Health and Human Services maintains the HHS Wall of Shame website that posts all data breaches affecting more than 500 individuals per breach. As that public list shows, a breach can cost an organization not only in penalties and fines, but also in damage to its reputation.
Achieving and Maintaining HIPAA Compliance
Technological advancements related to the creation, storage, and transmission of ePHI often outpace an organization’s ability to ensure the necessary controls are in place to protect a patient’s information. Most organizations do not have the time, resources, or skill set to ensure their compliance with the HIPAA rules.
In addition, a requirement that may be necessary for a hospital or health system may not be reasonable for a physician practice or IT service provider.
Stay on Top of HIPAA Compliance
The HCP program is a partnership between Sword & Shield and your organization with the goal of achieving and maintaining a compliant state well beyond the initial assessment.
Sword & Shield’s HIPAA experts take the stress of compliance off you by helping to make sense of the HIPAA rules and how they apply to your business, as well as how they compare to state laws since you must adhere to the more stringent law.
Sword & Shield helps you identify your risks and vulnerabilities, develop a remediation plan to increase your HIPAA compliance, and then continues to work with you to maintain or improve compliance.
Through this process, Sword & Shield becomes a true security and compliance partner, engaging with you on upcoming changes to the HIPAA laws, OCR guidance, technology trends, and industry best practices.
What Our HIPAA Compliance Program Includes
Our consultants get to know your business, then apply their thorough HIPAA compliance knowledge to attest to the posture of your organization using the following steps:
HIPAA Risk Assessment
Sword & Shield’s HIPAA risk assessment identifies and documents your areas of risk associated with the creation, storage, transmission, and processing of ePHI in accordance with the HIPAA Privacy, Security, and Breach Notification Rules.
Sword & Shield analyzes the use of administrative, physical, and technical controls to eliminate or manage vulnerabilities that could be exploited by internal or external threats.
HIPAA Gap Analysis
Our HIPAA gap analysis compares the HIPAA rule requirements against your organization’s controls to identify and report gaps between your policies, procedures, systems, and applications.
The results of the gap analysis are used to create recommendations to assist with the remediation efforts required to reduce gaps and achieve HIPAA compliance.
Roadmap to Security and Compliance
Following delivery of the risk assessment and gap analysis reports, the Sword & Shield team develops a Roadmap to Security and Compliance (RSC). The RSC takes into consideration the controls that need to be addressed to lower risks and address compliance deficiencies. The initial RSC is considered a working document, developed in partnership with you, to build a plan with prioritized remediation tasks, task assignments, timelines, and estimated budgets.
HCP Trustmark and Documentation
Next, we provide you with a documentation package that includes the following:
- Trustmark logo
- Permission for use of the appropriate Trustmark
- Certificate suitable for framing
- Congratulatory letter that explains the certification and requirements for branding usage
- Template attestation language that can be included in a Business Associate Agreement
- Letter that can be sent to business associates and covered entities that defines the certification
As a full-service security and compliance firm, Sword & Shield offers a host of related solutions. In addition to the HCP, clients may opt for these related services:
[1] FBI Cyber Division
[2] U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
Ready to learn more? Get in-depth information on the HIPAA Compliance Program. Learn about the three certified HCP levels of compliance status, the certification criteria, and the program’s three phases:
Fast Track Your HIPAA Certification
Request a free HIPAA Compliance Program consultation.