Who must be HIPAA Compliant, and how can they prepare?

If you are just beginning to learn about HIPAA, you may be wondering, “Who must be HIPAA Compliant?” Up until 2009, the answer was simple: Covered Entities. But when the Health Information Technology for Economic and Clinical Health (HITECH) Act passed, it expanded the oversight of the Office for Civil Rights (OCR) to Business Associates. The HITECH Act was passed in 2009 to promote the adoption and meaningful use of health information technology (HIT).

Stephanie Rodrigue Discusses Who must be HIPAA Compliant?

The OCR’s proactive supervision will hold all covered entities and business associates responsible for their own compliance with the laws. According to the Omnibus Rule, business associates are being held directly responsible for their compliance with any relevant HIPAA laws. This means that business associate compliance will be a focus of the coming Phase 2 HIPAA enforcement actions.

Covered Entities are healthcare providers such as doctors’ offices, hospitals, health plans, or healthcare clearing houses. If your business is a covered entity preparing for Phase 2 of the OCR’s HIPAA Audit Program, we recommend that you prepare through Risk Analysis, Risk Management, Breach Reporting, and Privacy Notice and Access. Phase 2 audits of covered entities will focus on:

  • Device and Media Controls
  • Transmission Security
  • Risk Analysis and Risk Management
  • Safeguards and Training on Policies and Procedures
  • Notice of Privacy Practices and Access Rights
  • Breach Notification Content and Timeliness

Business Associates
Business Associates are the vendors who provide services on behalf of Covered Entities. Right now, the OCR is conducting audits of business associates and assigning fines for lack of HIPAA compliance. For business associates, these audits will focus on Risk Analysis, Risk Management, and Breach Reporting to Covered Entities. If you are a business associate, we recommend that you prepare through:

  • Conducting Security Rule Risk Analysis and Risk Management
  • Reviewing Policies and Procedures related to ePHI vulnerability, accessibility, and integrity
  • Identifying all systems that include ePHI
  • Evaluating security measures to reduce risk
  • Breach Reporting (impermissible acquisition, use, access, or disclosure of ePHI)
  • Evaluating Policies and Procedures

KirkpatrickPrice can service both covered entities and business associates through:

  • Experienced Risk Analysis Practices
  • Policy and Procedure Review
  • Approach Modeled on HIPAA Audit Protocol
  • Expert Information Security Personnel
  • Web-based Portal Experience

If you’re unsure which parts of HIPAA laws apply to your business, contact us for help.

Who must be HIPAA Compliant? This is a question we get asked from time to time. Up until 2009, the answer was Covered Entities, which are healthcare providers like doctors’ offices and hospitals. But when the HITECH Act passed, it expanded the oversight of the OCR to the Business Associates, which are the vendors who provide services to the Covered Entities.
Right now, the OCR is conducting audits of Business Associates and assessing fines for lack of HIPAA Compliance. If you’re unsure which parts of HIPAA laws apply to your business, contact us for help.

What HIPAA Means for Covered Entities and Business Associates

What is HIPAA? How does HIPAA apply to my business and what must I do to ensure I’m HIPAA compliant? Watch as our HIPAA Expert, Stephanie Rodrigue, walks us through the ins and outs of HIPAA and protecting ePHI for covered entities and business associates.

Stephanie Rodrigue Explains HIPAA’s Impact on Covered Entities & Business Associates

What is HIPAA?

HIPAA refers to laws that apply to covered entities and business associates regarding the privacy, security, and accessibility of electronic protected health information (ePHI). Covered entities and business associates use this information to provide services to the public such as medical care, and the filing and billing of medical claims. Covered entities include doctors’ offices, hospitals, healthcare providers, health plans, and healthcare clearing houses. Because these entities are collecting health information directly from the patient, it’s probably obvious that they are responsible for protecting ePHI.

But there are actually many types of companies providing services such as data storage, analytics, marketing, billing, collections, and practice management that receive ePHI from a covered entity and are also responsible for protecting ePHI under the HIPAA Security and Privacy Rules. The HIPAA/HITECH Act is enforced by the Office for Civil Rights (OCR) through a required notification, audit, and fine program. If a covered entity or business associate does not have proper safeguards in place to protect ePHI, a breach of this information can occur, and fines will be assessed and issued by the OCR.

Understanding how to protect ePHI is a critical responsibility of covered entities and business associates because HIPAA laws dictate how this private information is received, transmitted, and stored and how it is made accessible to the patient.

If you clicked on a video entitled, “What is HIPAA?” then you’re probably pretty new to this topic. So I’d like to start by defining some of the terms that you’re going to encounter. First, HIPAA is an act that was passed in 1996 and updated in 2009 with the HITECH Act. These provide the rules for the privacy and security of protected health information. Protected health information is commonly referred to by the acronym “PHI”, and it’s the information that’s collected about the healthcare or payment for healthcare that can be directly linked to an individual.

Covered entities commonly collect this information. These are doctors’ offices, hospitals, other healthcare providers, health plans, and healthcare clearing houses.

Another group that comes into contact with PHI is the business associates, and these are people or organizations that provide services on behalf of a covered entity.

I hope that this information provides a little bit of help for you. If you have more questions please feel free to contact us.

The NIST Cybersecurity Framework: A Common Language for Cybersecurity Issues

The cybersecurity realm is overwhelming – the issues, the regulations, the changes, the threats, the persistence. We’re living in a world where we hear about new breaches every day. None of us can possibly know everything about all cybersecurity issues, and that’s okay. We’re all vulnerable and overwhelmed, but that’s no excuse not to prepare and continually develop your organization’s defenses. We believe that the NIST Cybersecurity Framework is a way to start having a common language and a method for understanding what the issues are and how they should be dealt with.

The core of the NIST Cybersecurity Framework includes:

  • Functions – Organization of basic cybersecurity activities at their highest level
  • Categories – Subdivisions of a function into groups of particular activities
  • Subcategories – Further divide a category into specific outcomes of technical and/or management activities
  • Informative References – Specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcome

What is the cybersecurity maturity of your organization? It’s an important question to ask and answer honestly, especially when considering the Framework Implementation Tiers:

  • Partial – Informal, reactive, limited awareness
  • Risk Informed – Approved but not implemented; the staff has adequate resources to perform their cybersecurity duties; not formalized in its capabilities to interact and share information externally
  • Repeatable – Risk management is a formal function and updated regularly; changes in business requirements are reflected in the organization-wide cybersecurity practices; your organization understands its dependencies on partners and interacts accordingly
  • Adaptive – The cybersecurity practices adapt based on lessons learned and predictive indicators, which results in continuous improvement; the organization adapts to a changing landscape in a timely manner; cybersecurity risk management is part of the organizational culture; communication and interaction with partners occur before a cybersecurity event occurs

Healthcare organizations desperately need individuals who will volunteer to lead the conversation about cybersecurity issues; you don’t have to be a cybersecurity expert, just a good communicator. Our hope? In 5 years, everyone within an organization will understand the language of cybersecurity and will be involved in the cybersecurity conversation. It’s not just IT’s issue, or an executive’s responsibility, or the administration’s problem. Can you be the person at your organization to step up and lead the conversation?

To learn more about our HIPAA compliance services, contact us today.

3 Things to Know About Protecting ePHI

This session gives an overview of the Security Rule, which is one of the most familiar aspects of HIPAA Compliance. The goal of the Security Rule is to create security for electronic Protected Health Information (ePHI) by ensuring the confidentiality, integrity, and availability of ePHI, protecting against threats, protecting against unpermitted disclosures, and ensuring workforce compliance. When learning the basics of this regulation, it’s vital to learn about scope, the flexibility of approach, and the three types of safeguards.

Scope

The Security Rule only applies to ePHI. Paper PHI is not within the scope of the Security Rule. This doesn’t narrow the scope, but instead tailors it to the specific issues, vulnerabilities, costs, and approaches related to the integrity and security of ePHI.

Flexibility of Approach

All the requirements are the same, but the way that an entity complies with those requirements differs depending on entity-specific considerations. There’s some flexibility when considering required versus addressable implementation specifications under each of the three types of safeguards. The Security Rule says there are some implementation specifications that you must comply with, and there is no alternative method. There are also some addressable implementation specifications that allow an entity to choose an alternative or equivalent compensating control.

Three Types of Safeguards

There are three types of required safeguards to protect ePHI: administrative, technical, and physical. Administrative safeguards cover personnel, training, access, and process. Technical safeguards cover access, audits, integrity, and transmission. Physical safeguards cover access, workstations, and devices.

To learn more about the HIPAA Security Rule, contact us today and speak to an expert.