HITECH & HIPAA Security Rule Assessment

The basic purpose of the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule is to protect the confidentiality, integrity, and availability of electronic protected health information (EPHI) when it is stored, maintained, or transmitted.

The final HIPAA Security Rule requires each covered entity to assess its own security needs and risks and then devise, implement, and maintain appropriate measures as business decisions. Each entity must balance its resources and business requirements against the risks to EPHI. The growing number of state and federal regulations, including MA 201 CMR 17, the Red Flag Rules, and the HITECH Act, has added even greater complexity to this balancing act.

The SMP Solution

Information security plays a major role in compliance. SMP recommends that a covered entity or business associate begin with an EPHI Infrastructure Assessment, which allows us to gather information about your entity's information management and technology baselines and the controls related to information security.

The intent of an EPHI Infrastructure Assessment is to develop a preliminary summary of your information systems and your use of electronic information (including EPHI), and to understand the relationship of your organization's IT security posture, both present and future, to your business needs. Through interviews, direct observation, and review of documents, SMP establishes the organization's current state of compliance with the regulation. This is followed by further testing (see the list below) to confirm that the reported controls are in place and working correctly.

As part of SMP’s deliverable, we identify gaps and detail risks to information assets. Our report establishes a baseline against which progress towards HIPAA and all regulatory compliance can be measured. It assists in prioritizing and setting realistic targets, and it recommends steps to reduce each risk.

Additional testing may include:

  • Internal Assessment
  • External Assessment
  • Wireless Assessment
  • Application Assessment
  • Regulatory Compliance Review, including HIPAA, HIPAA2, MA 201 CMR 17, the Red Flag Rules, and the HITECH Act

HIPAA Assessment in Action

Read a case study showing how Security Management Partners and Cape Cod Healthcare partnered in a HIPAA Assessment to develop a preliminary summary of the organization's information systems, use of electronic information (including EPHI), and current and future security posture vis-à-vis its business needs.