Compliance is a significant challenge
Covered entities and business associates are faced with complying with multiple regulatory requirements and industry standards. The challenge is to address compliance with limited resources. tw-Security brings the tools, methods, and expertise to address your compliance requirements and business objectives.
All covered entities and business associates are required to comply with the HIPAA Security Rule (Rule), however, the Rule is designed to be flexible, scalable, and technology-neutral. Recognizing the individuality of an organization, our risk assessment, a combination of compliance and risk analysis, determines what would be reasonable and appropriate to ensure the confidentiality, integrity, and availability of the protected health information (PHI) it creates, receives, maintains, or transmits.
The mindset has evolved from ‘trust, but verify’ to ‘confidence through validation.’ We will determine if perception (statements made during interviews), practices (assessed through observations), and policies (evidence) are aligned. We validate select controls, safeguards, and observe organizational and operational practices.
tw-Security can provide insight into what other “like” organizations are doing and share prevailing practices. Our capabilities and experience include strategic advisory consulting as well as assessing and evaluating programs, conducting gap analysis, and preparing for audits. We cross-reference policies and procedures for regulatory requirements and frameworks. Also, we remediate and report on compliance progress and program maturity.
Experience with regulations, standards, and frameworks
In addition to HIPAA, we have experience with the following:
- Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) [Cybersecurity Act of 2015 (CSA), Section 405(d)]
- Promoting Interoperability (MU/MIPS/MACRA) risk analysis
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Alignment with state requirements e.g. California Consumer Privacy Act (CCPA), Security, Privacy, and Breach Notification Washington State’s Office of the CIO and Data Share Agreements
- The Payment Card Industry Data Security Standard (PCI DSS)
- International Standards Organization (ISO 27001/2) including ISMS and ISO 22301 BCMS
- 42 CFR Part 2 -Substance Abuse Confidentiality Regulations
- HITRUST Common Security Framework
- COBIT (Control Objectives for Information and Related Technologies)
- IT Infrastructure Library (ITIL)
- Joint Commission
- SSAE 16 Type 1/Type 2 (SOC1/SOC2)
- General Data Protection Requirement (GDPR)
- Family Educational Rights and Privacy Act (FERPA)
HIPAA Safe Harbor Law
On January 5, 2021, HR 7898, HIPAA Safe Harbor law went into effect. Among other things, the law requires HHS, when calculating fines related to a security incident, to take into consideration the recognized security practices in place during the 12 months prior to the event.
According to the law, “the term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under … the NIST Act, … the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity … ”
“Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule,” it continues.
tw-Security provides a roadmap which, when properly followed, may result in a significant reduction in fines assessed by HHS following an incident.
For more on our program, click here (PDF viewer with zoom, download optional)
Payment Card Industry Cybersecurity
The payment card industry has its own set of regulations regarding cybersecurity compliance. You can read more at this link (PDF download):
HIPAA Audit Protocol and compliance
There is no government-approved accreditation process or certifying authority for determining if a business associate is complying with HIPAA. No product or service is “HIPAA Compliant.”
The HIPAA Omnibus Rule required that covered entities and their business associates meet requirements contained in the HIPAA Security Rule.
Business associates also are required to meet applicable provisions of the Privacy Rules, Breach Notification, and the HITECH Act. In addition, subcontractors to business associates that handle ePHI are also required to meet these requirements.
We base our evaluation process upon the audit test procedures in the OCR’s HIPAA Audit Protocol. These are the same audit test procedures used by the Office for Civil Rights (OCR) – the agency responsible for HIPAA enforcement. While there is a total of 169 criteria in the OCR’s audit protocol, not all criteria are of equal importance. Some criteria will not apply to a business associate and some test procedures are redundant.
We routinely monitor the Resolution Agreements and Corrective Action Plans posted on the Department of Health and Human Services (HHS) website. We know which criteria and what circumstances resulted in the OCR assessing a fine. Most importantly, we focus on the critical few versus the trivial many.
Compliance with HIPAA does not translate to a secure environment. The most common reason cited by the OCR for failing a HIPAA audit: Failure to conduct a thorough risk analysis. The HIPAA Audit Protocol does not address numerous areas of risk in today’s cybersecurity environment.
Working with you, we take the necessary steps to get you in compliance.