The Security Rule (2005)
The Security Rule regulates cybersecurity and establishes guidelines for protecting electronic PHI (ePHI). The Security Rule uses the National Institute of Standards and Technology Risk Management Framework (NIST-RMF) 800-53 to set guidelines for safeguarding ePHI. The Security Rule establishes administrative, physical, and technical safeguards that entities who come into contact with PHI must implement.
1. Administrative Safeguards
Administrative safeguards require entities to document the activities they perform for HIPAA compliance. Some of the required activities include:
- Designating a Security Officer (Your Privacy and Security Officer can be the same person)
- Training all staff members who come in contact with PHI
- Completing a thorough Risk Assessment
- Documenting Security Policies and Procedures
- Documenting a Disaster Recovery Plan
2. Physical Safeguards
Physical safeguards regulate the way entities handle physical systems and equipment that contain PHI. Devices like servers and computers must be kept in a secure location. Any office or building where devices that contain PHI are stored should have physical security, backup power, and fire suppression systems. Tracking employee and vendor access to the building is also a good idea. It's important to keep detailed access logs of personnel who enter secure onsite spaces to control, monitor, and limit who sees PHI. If you use a Managed Service Provider or IT contractor, you must have a signed Business Associate or Business Associate Subcontractor Agreement with them.
3. Technical Safeguards
Technical safeguards outline IT-related security practices to protect ePHI. HIPAA requires entities to encrypt data in three phases: at rest, in transit, and in storage. PHI transmitted via email should be sent using email encryption to safeguard the information as it passes from sender to recipient. Only the intended recipient can open an encrypted email, so sensitive information remains safe even when you send it to the wrong person. Examples of technical safeguards include:
- Assigning unique logins for users
- Setting automatic timeouts in systems containing PHI
- Using 2-factor authentication for all systems that hold ePHI
- Installing anti-malware software on devices
- Encrypting hard drives
- Password protecting all devices
- Locking desktop computers to workstations
- Est. 700,000
- Health care providers who bill electronically
- Health plans that pay providers
- Medicare, Medicaid
- Private Health Plans
- Self-Insured Businesses
- Est. 2-3 million
- Companies that support Covered Entities
- Come in contact with ePHI or the systems that have it
Federal HIPAA Enforcements (Penalties)
- 2014 + 2015 = $14 million
- 2016 + 2017 = $42 million
- 2018 + 2019 = $41 million
HIPAA Guidance & Enforcement
- Business Associate Liability Fact Sheet (link) - BA's MUST
- Tennessee imaging practice - $3 million penalty (link)
- Failed to conduct an accurate and thorough assessment of their risks
- Failed to sign a Business Associate Agreement with its IT support vendor and third-party data center
- March 2020 - 1-doctor medical practice - $100,000 (link)
- Failed to conduct an accurate and thorough assessment of their risk
The Office of Civil Rights (OCR) has undergone budget cuts for 2020. It says it will make up for the budget cuts with enforcement. (link)
- Identifiable (18 different identifiers)
- Plus treatment and/or diagnostic information
- PHI in electronic form
- Words, images, voice files
- On any media
- HIPAA - Health Insurance Portability & Accountability Act - 1996
- HITECH Act - 2009
- Privacy Rule - spoken, written, and electronic patient info
- Security Rule - framework for protecting electronic patient data
- Breach Notification Rule - patient notification & govt. reporting
- HIPAA Omnibus Final Rule - changed all 3 rules in 2013
We primarily focus on Organic SEO methods. This allows companies to take a more long-term approach and can cost less in the long run. PPC strategies work, but they stop as soon as you stop paying. Creating Quality Content, Building Brand Awareness and Site Authority are things that will last. This is not to say we are against PPC, and a lot of times we will recommend a hybrid approach to take advantage of the short-term gains. At the end of the day, this is not an exact science, but the methods and strategies applied correctly will deliver results. Online marketing is changing at a faster rate than ever before, and so we must continually change as well.
We are vendor agnostic and can work with any vendor, however, we do have direct partnerships with Microsoft, Dell, Zixcorp, Tawk, GoDaddy, TechData, and others. We currently use Google for advertising and marketing campaigns as 90+% of searches are funneled through their platform, however, we no longer recommend Google for mail or web hosting due to company policies and past privacy concerns. If you have any concerns or questions, send us an email. We would love to chat.
As more companies and websites have been impacted by cyber-security, we only provide full web hosting management. This allows us to have complete control, and complete responsibility for updates and issues related to your site. If you want to host with another provider, we understand, but we will not be able to service your site. We do offer free site migration. Additionally, upon request, you will have access to your site 24/7.
I know you have heard this before, but it is true: every project we take on is unique. Yes, there are similarities, but there are a few factors that really make the difference: Bundling, Speed of Delivery, and Internal Application Impact. Even though our process may be very defined, how it applies to our clients is totally different. Set up a discovery call; we promise we won't even talk cost the first time, unless you want to.
For us, it is a matter of involvement. Our consulting services can consist of assessment, strategy development, implementation and/or review, where we perform the services. Our coaching approach is more directly focused on the team, not the task or project. We tell our clients the best way to figure out which service they need is to figure out who will be answering most of the questions.
Simple answer is no. We are unique in that we are actually in a position to implement our strategies directly and through a network of premier partnerships. Of course, if you wish to just use us for consulting, that is perfectly fine too. We offer ad hoc, per-project and long-term plans.