compliance & standards
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") empowered the U.S. Department of Health & Human Services ("HHS") to promulgate the Security Rule, 45 C.F.R. Part 164.
The Security Rule requires Covered Entities to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of electronic protected health information ("ePHI") and to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.
HIPAA was expanded by the HITECH Act of 2009. The HITECH Act establishes stricter requirements for the privacy and security of your patients' protected health information, and more aggressive enforcement by the Office for Civil Rights within HHS.
A data security breach, whether caused from within your organization or from outside it, including a breach caused by one of your Business Associates, could result in unwanted HHS audits, civil and criminal penalties, and embarrassing breach notifications to your patients. Now more than ever, protected storage of a Covered Entity's ePHI is a must.
If you are a Covered Entity, and your ePHI is vulnerable, you are vulnerable. However, there is a "Safe Harbor" within the Security Rule. If your ePHI is properly encrypted, no patient privacy is lost upon a data breach, as the data is unreadable. Thus, the data breach is not a reportable event to HHS or your patients, and not subject to civil and criminal penalties.