The Health Insurance Portability and Accountability Act of 1996 (HIPPA) outlines the legal requirements regarding the use and disclosure of protected health information (PHI).
HIPPA defines two groups of organizations that need to be compliant:
Covered Entities: Any organization that directly collects, creates, or transmits electronic PHI. Most commonly: health care providers and health insurance providers.
Business Associates: Any organization that encounters PHI over the course of work they have been contracted to perform by a covered entity. This often manifests as a business associate storing, processing or transmitting PHI on behalf of a covered entity. Common business associates include: third party service providers, independent consultants, hosting companies, and attorneys.
There are several rules that these groups must adhere to:
Privacy Rule: Only applies to Covered Entities and defines patients’ right to PHI.
Security Rule: Applies to both Covered Entities and Business Associates and outlines security safeguards, policies and procedures that must be implemented.
Breach Notification Rule: Applies to both Covered Entities and Business Associates and defines breach notification requirements depending on the size and scope of a breach.
Omnibus Rule: An addendum to HIPPA, it requires that all business associates must be HIPPA compliant and requires Business Associated Agreements to be in place between a covered entity and a business associate prior to the sharing or transfer of PHI.
The GAI Cyber team has substantial expertise in navigating the various pitfalls surround HIPPA compliance. The most perilous of which is often inevitable: data breaches. Our team will evaluate your current security posture and existing compliance with HIPPA and tailor a roadmap that minimizes your risk surface to threat of non-compliancy.
Our team will validate your compliance with the HIPPA requirements and issue a detailed Report documenting your alignment with the regulation and any remedial actions that need to be taken.