HIPAA Regulatory Compliance

HIPAA Privacy & Security rules and regulations

Does your organization store, transmit, have access to, use, or disclose Protected Health Information (PHI)?

Do you realize that you must then adhere to HIPAA's strict rules and regulations?  Do you want to be fully and effectively HIPAA compliant, without getting lost in the "sea" of all those rules, and without fearing that you might miss some of them?

You are in luck!  We have a solid solution and we can offer a great service for you!

You may have worked with companies that promise results but fail to deliver.  SA will help you identify which HIPAA requirements apply to your organization and will guide you through HIPAA compliance.  SA's professional HIPAA Advisor, who has 20 years of professional experience, will help you every step of the way on your path toward HIPAA compliance.  When you partner with us, you will appreciate our detailed work and unmatched support.  We are a local boutique consulting firm based in Irvine, CA.

What do we mean by HIPAA compliance? 

HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.  Please note that HIPAA applies to both covered entities and business associates.  A "covered entity" is a health care provider, a health plan, or a health care clearinghouse that, in its normal activities, creates, maintains, or transmits PHI.

A "business associate" is a person or business that provides a service to, or performs a certain function or activity for, a covered entity when that service, function, or activity involves the business associate having access to PHI maintained by the covered entity.  Examples of business associates include lawyers, accountants, IT contractors, medical billing companies, cloud storage services, and email encryption services.

What are the key HIPAA requirements/Rules that must be met?

HIPAA Security Rule:  Every covered entity and business associate that has access to PHI must ensure that technical, physical, and administrative safeguards are in place and adhered to, that they comply with the HIPAA Privacy Rule in order to protect the integrity of PHI, and that, should a breach of PHI occur, they follow the procedure set out in another HIPAA rule, the HIPAA Breach Notification Rule.

HIPAA Privacy Rule:  The HIPAA Privacy Rule governs how electronic Protected Health Information (ePHI) can be used and disclosed.  In force since 2003, the Privacy Rule applies to all healthcare organizations, the providers of health plans (including employers), healthcare clearinghouses and, from 2013, the business associates of covered entities.  The Privacy Rule requires that appropriate safeguards (i.e. policies and procedures) be implemented to protect the privacy of PHI.  It also sets limits and conditions on the use and disclosure of that information without patient authorization.  The Rule also gives patients, or their nominated representatives, rights over their health information, including the right to obtain a copy of their health records, or examine them, and the ability to request corrections, if necessary.

HIPAA Breach Notification Rule:  The HIPAA Breach Notification Rule requires covered entities to notify patients when there is a breach of their ePHI.  The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services (DHHS) of such a breach of ePHI and to issue a notice to the media if the breach affects more than five hundred patients.  There is also a requirement to report smaller breaches, those affecting fewer than 500 individuals, via a certain web portal.

HIPAA Enforcement Rule:  The HIPAA Enforcement Rule governs the investigations that follow a breach of ePHI, the penalties that may be imposed on covered entities responsible for an avoidable breach of ePHI, and the procedures for hearings.  Please note that the following penalties apply:

HIPAA Fines (per each violation):

  • Tier 1—lack of knowledge: The minimum penalty is $100; the maximum penalty is $50,000.

  • Tier 2—reasonable cause and not willful neglect: The minimum penalty is $1,000; the maximum penalty is $50,000.

  • Tier 3—willful neglect, corrected within 30 days: The minimum penalty is $10,000; the maximum penalty is $50,000.

  • Tier 4—willful neglect, not corrected within 30 days: The minimum penalty is $50,000.

NOTE:  Fines are imposed per violation category and reflect the number of records exposed in a breach, the risk posed by the exposure of that data, and the level of negligence involved.  Penalties can easily reach the maximum fine of $1,500,000 per year, per violation category.  It should also be noted that willful neglect can additionally lead to criminal charges being filed.  Civil lawsuits for damages can also be filed by victims of a breach.

Did we scare you?  Please don't worry!  We are here to help your organization become HIPAA compliant and never be subjected to those fines!  We offer the following professional advisory/consulting services:

PHASE NO. 1: Introduction and a "Road Map"

1). We will provide you with all relevant information regarding what HIPAA Privacy and Security is about (i.e. all of its key elements and nuances) and then provide you with a documented Road Map of the key activities you need to start implementing.  We will also help you develop training materials for your employees/associates, so they too will be familiar with HIPAA.

PHASE NO. 2: Actual Implementation

2). We will help you document a comprehensive HIPAA Risk Assessment.  Please note that such an assessment is a required element and one of the first things you will be asked to provide evidence of if you are audited by the federal government.

3). We will help you draft and implement the needed HIPAA Policies and Procedures.  Again, having such written documents is a must under HIPAA.

4). Another required policy and process covers addressing and correcting any possible HIPAA-related PHI breaches and notifying the required agencies/bodies of them.

5). We will analyze which of your systems house PHI.  We will also review and assess your access controls to make sure only authorized individuals have access to this information.  We will further assess whether PHI is secured, encrypted, backed up, and protected against malicious hacking attacks, ransomware, etc.  To support our analysis, and ultimately to help you, we will recommend that you follow the NIST Cybersecurity Framework.

Tel: +1 914 343 00 62

Email: rod@sanctionsadviser.com