Ongoing HIPAA compliance for companies that manage and process patient health information.
Sword & Shield’s HIPAA Compliance Program (HCP) provides a cost-effective way for organizations to fulfill HIPAA compliance requirements and to ensure on-going compliance with the HIPAA Security, Privacy, and Breach Notification Rules.
HIPAA Compliance Rules
By enacting the HIPAA law, Congress mandated the establishment of Federal standards to ensure the confidentiality and the privacy of protected health information (PHI). Here is an explanation of each of the HIPAA compliance rules:
HIPAA Security Rule
For HIPAA covered entities and business associates, safeguarding patients’ electronic protected health information (ePHI) is required by law. The HIPAA Security Rule requires that a periodic risk assessment of an organization’s technical and non-technical safeguards be conducted.
HIPAA Privacy Rule
Key to an organization’s compliance is a comprehensive set of policies and procedures as required by the HIPAA Privacy Rule. A covered entity’s workforce members must be thoroughly trained on those policies which provide guidance on how to interact with patients and their sensitive data.
Breaches of PHI
Breaches of patient data have become a well-publicized and disturbing trend. Medical record data is worth 10 to 50 times more on the black market than credit card data1. Why? Because credit card information can be easily changed, while medical record information is lifelong.
For this reason, penalties for HIPAA violations have increased dramatically over recent years, with fines ranging from $100 to $50,000 per violation (or per record) and a maximum penalty of $1.5 million per year for each incident.
Even an alleged breach or frivolous complaint can result in an investigation of your organization by the Office for Civil Rights (OCR).
The Department of Health and Human Services maintains the HHS Wall of Shame website that posts all HIPAA data breaches affecting more than 500 individuals per breach. As you can see, a breach can cost an organization not only in penalties and fines, but also damage to your reputation.
Fulfilling HIPAA Compliance Requirements
Technological advancements related to the creation, storage, and transmission of ePHI often out-pace an organization’s ability to ensure the necessary controls are in place to protect a patient’s information. Most organizations do not have the time, resources, or skill set to ensure their compliance with the HIPAA rules.
In addition, a requirement that may be necessary for a hospital or health system may not be reasonable for a physician practice or IT service provider.
Maintaining HIPAA Compliance
The HIPAA Compliance Program is a partnership between Sword & Shield and your organization with the goal of achieving and maintaining HIPAA compliance well beyond the initial HIPAA risk assessment.
Sword & Shield’s HIPAA experts take the stress of compliance off you by helping to make sense of the HIPAA rules and how they apply to your business, as well as how they compare to state laws since you must adhere to the more stringent law.
Sword & Shield helps you to identify your risks and vulnerabilities, develop a remediation plan to increase your HIPAA compliance, and continues to work with you to maintain or improve compliance.
Through this process, Sword & Shield becomes a true security and compliance partner, engaging with you on upcoming changes to the HIPAA laws, OCR guidance, technology trends, and industry best practices.
What Our HIPAA Compliance Program Includes
Our HIPAA consultants get to know your business, then apply their thorough HIPAA compliance knowledge to attest to the posture of your organization using the following steps:
HIPAA Risk Assessment Service
Sword & Shield’s HIPAA risk assessment identifies and documents your areas of risk associated with the creation, storage, transmission, and processing of ePHI in accordance with the HIPAA Privacy, Security, and Breach Notification Rules.
Sword & Shield analyzes the use of administrative, physical, and technical controls to eliminate or manage vulnerabilities that could be exploited by internal or external threats.
HIPAA Gap Analysis Service
Our HIPAA gap analysis compares the HIPAA rule requirements against your organization’s controls to identify and report gaps between your policies, procedures, systems, and applications.
The results of the gap analysis are used to create recommendations to assist with the remediation efforts required to reduce gaps and achieve HIPAA compliance.
HIPAA Roadmap to Security and Compliance
Following delivery of the risk assessment and gap analysis reports, the Sword & Shield team develops a HIPAA Roadmap to Security and Compliance (RSC) to assist you in fulfilling your HIPAA compliance requirements. This HIPAA security and compliance roadmap takes into consideration the controls that need to be addressed to lower risks and address compliance deficiencies. The initial RSC is considered a working document, developed in partnership with you, to build a plan with prioritized HIPAA remediation tasks, task assignments, timelines, and estimated budgets.
HIPAA Compliance Program Trustmark and Documentation
Next, we provide you with a documentation package that includes the following:
- Trustmark logo
- Permission for use of the appropriate Trustmark
- Certificate suitable for framing
- Congratulatory letter that explains the certification and requirements for branding usage
- Template attestation language that can be included in a Business Associate Agreement
- Letter that can be sent to business associates and covered entities that defines the certification
HIPAA Compliance Related Services
As a full-service security and compliance firm, Sword & Shield offers a host of related solutions. In addition to the HCP, clients may opt for these related services:
Ready to learn more? Get in-depth information on the HIPAA Compliance Program. Learn about the three certified HCP levels of compliance status, the certification criteria, and the program’s three phases:
Fast Track Your HIPAA Certification
Request a free HIPAA Compliance Program consultation.