HIPAA Compliance and Risk Assessments
At Bedrock Technology, HIPAA Compliance is one of the highest priorities for our healthcare industry clients. We understand that Protected Health Information or PHI is vital to the medical industry and can be challenging to protect without the proper safeguards. As healthcare grows further into the digital age, it becomes difficult for professionals and entities to understand how to run their business under these complex regulations. Bedrock Technology offers comprehensive Security Risk Assessments for organizations that are required to complete regular Risk Assessments to comply with HIPAA. These assessments help organizations to identify areas of potential vulnerabilities and deficiencies in abiding by the regulations outlined in the Security Rule. We start the process by gathering a list of all of the assets in the organization that store, transmit, or process ePHI and use a variety of assessment tools to determine any potential vulnerabilities and HIPAA violations.
There are three main areas of an organization that must be assessed to determine if they comply with the regulations to protect PHI – Administrative, Technical, and Physical.
-
Administrative Safeguards: We review all policies and procedures, change logs, training records, etc. and perform a GAP analysis to uncover potential areas of vulnerability
-
Physical Safeguards: Walk-through and evaluate physical environment for vulnerability and HIPAA violations
-
Technical Safeguards: Review and assess existing safeguards such as configurations, security patches, antivirus, monitoring, firewalls, encryption, and intrusion detection systems
After gathering all of the vulnerabilities in the organization, we score each risk by the likelihood and impact on the business if the weakness were to be exploited.
In addition to showing all of the vulnerabilities we uncover, we also score the current administrative safeguards, physical safeguards, technical safeguards, and breach notification policies against the standards published by the National Institute of Standard and Technology (NIST). This provides a standard framework for consistency and follows generally accepted best practices upon which the HIPAA standards are based.
We also provide a list of recommendations to mitigate potential areas of risk. By law, organizations are required to try to minimize any “reasonably anticipated threats or hazard to the security or integrity of e-PHI.” HIPAA violations are costly for organizations – even if it is determined that the organization has no way of knowing they had a violation the maximum penalty is $50,000 per violation.
We recommend that all organizations complete Risk Assessments on an annual basis, even beyond healthcare organizations. Our comprehensive Risk Assessments can be customized for all businesses, and we recommend annual assessments to ensure the highest standard of cybersecurity.