HIPAA/HITECH

HIPAA Compliance Support

Health records and related information contain highly sensitive data.  Unauthorized disclosure of this information can lead to steep governmental fines, loss of clients, and damaged reputations.  To avoid these outcomes, Lunarline’s expert Healthcare Department can support your organization in becoming fully compliant with all aspects of the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule.

The Security Rule established Administrative, Physical, and Technical Safeguards.  These Safeguards set forth controls that protect the confidentiality, integrity, and availability of Protected Health Information in electronic form (ePHI) that covered entities create, receive, maintain, or transmit.  Security Rule compliance is achieved when all necessary controls and requirements are met in light of the size, nature, and complexity of your organization and its information system(s).  This is where Lunarline’s expertise comes in: our Security Rule compliance approach is robust, adaptable, and efficient.

Lunarline’s Security Rule consulting services break down into a two-phased approach.  The first phase is the Gap Analysis.  During this phase we determine your organization’s overall compliance “health”; during site visits and interviews, we:

  • Gain foundational system knowledge and determine uses of PHI and ePHI across all lines of business.
  • Create a baseline of current security requirements and privacy practices, including employee training.
  • Identify deltas between HIPAA/HITECH requirements and your company’s associated implementations via system testing.
  • Develop the Gap Analysis Report, which specifically outlines the weaknesses present in your system(s).

Building from the Gap Analysis Report, the second phase is the Technical Risk Assessment.  The Risk Assessment identifies the remediations necessary to attain compliance with the Security Rule in your specific environment.  It includes:

  • Determining whether each unmet implementation specification is Required or Addressable.  An Addressable specification is not optional: it must be implemented where reasonable and appropriate, or an equivalent alternative measure adopted, and in either case the decision and its rationale must be documented;
  • Assessing the impact of accepting a risk versus remediating it;
  • Evaluating the likelihood that existing vulnerabilities will be exploited;
  • Developing a strategy for how selected weaknesses will be remediated and documenting the extent of residual risk, if any;
  • Building the Risk Assessment Report based on the above findings, and beginning remediation efforts.

Unlike the technically oriented Security Rule, which applies only to ePHI, the Privacy Rule governs the required, permitted, and authorized uses and disclosures of individuals’ PHI in any form, whether electronic, paper, or oral.  The Privacy Rule is concerned with policy and procedure, and with ensuring your personnel understand how to handle individuals’ PHI lawfully.

As part of its Privacy Rule compliance services, Lunarline will initially identify the existing inventory of privacy policy documentation maintained by your organization. That documentation will be thoroughly reviewed so we may ascertain the extent to which your organization is Privacy Rule compliant.  From there, we will build a Privacy Policy Report that specifically explains what policies and procedures are missing and/or incomplete, and the steps necessary to become compliant.  Finally, Lunarline will create new and edit existing policies as needed, consistent with the Privacy Policy Report.

In addition to Security Rule and Privacy Rule support, Lunarline offers comprehensive Breach Notification Rule (BNR) compliance services.  The BNR creates several discrete and nuanced requirements that govern how a data breach must be handled.  This includes determining whether an incident meets the HIPAA definition of a “breach” of unsecured PHI, who must be notified (affected individuals, the Secretary of HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets), how and how quickly such notice must be provided (without unreasonable delay and no later than 60 calendar days after discovery), and what remediation activities are warranted.  We can draft BNR policies and procedures that are specific to your organization and that adhere to the specific requirements of HIPAA.  We can also provide BNR training to staff, including users, executives, HR, legal, and other key departments.

HIPAA Omnibus Final Rule

No modern-day discussion of HIPAA would be complete without at least making reference to the Omnibus Rule.  The HIPAA Omnibus Final Rule, published in January 2013, implemented key provisions of the 2009 HITECH Act and supplemented HIPAA in a few important ways.  First, HITECH substantially increased the civil monetary penalties that can be assessed for non-compliance with HIPAA, introducing a tiered structure based on the level of culpability.  Second, business associates (and their subcontractors) are now directly liable for compliance with the Security Rule and with the applicable provisions of the Privacy Rule, rather than being bound only by contract with a covered entity.  Finally, HITECH established the Breach Notification Rule, which mandates that prompt notice be given to individuals when their unsecured PHI is compromised; under the Omnibus Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment demonstrates a low probability that the PHI has been compromised.  Lunarline’s substantial knowledge of the complexities of HIPAA in the post-Omnibus compliance setting results in a comprehensive consulting engagement aimed at full compliance with all applicable regulations.

Lunarline is a company of experts.  Our industry-leading Healthcare Department will be glad to discuss the state of your company’s HIPAA compliance.  Please contact us at (571) 481-9300.